Re: SUDOERS: how to setup in a school

From: Michael Heiming (michael+USENET_at_www.heiming.de)
Date: 10/16/04


Date: Sat, 16 Oct 2004 11:37:23 -0000



In comp.os.linux.security Dr. Robert Meier <worsel@c112927lin.svinfra.compuware.com>:
> Edilmar Alves wrote:
>> I'm a teacher of a Linux course, and I'm using Fedora Core 2 to teach
>> how to configure services like DNS, Apache, Proftp, Postfix, SSH,
>> Samba, NFS and NIS. But, for convenience, the first students have
>> to login using ROOT user or a user created with ROOT privileges,
>> to allow them to modify configuration files, and restart services in
>> /etc/rc.d/init.d.

>> However, I'd like to know if it is possible to configure SUDOERS
>> for this situation. There are many config. files to change and many
>> services to start/stop, and I'd like to create "student users"
>> with no ROOT access but with privileges to do these configs.
>> Is it possible? Does someone have a sample of this?

> Yes.

Not really, since standard editors like vim allow shell escapes,
as Keith already mentioned, which means you can do anything.

It should be possible to configure webmin to allow something like
this, but even then, what would stop someone from putting some
malicious command into some service init script? And even worse,
your students will learn how to use webmin but won't really get a
clue about unix system V.

To sum it up, suggestions already made which look as if they'd do
the job:

- Use Knoppix, save config to floppy.
- Set up UML (User Mode Linux)
- Image the system, if all are the same, so you can easily
  restore them in a second.

I'd add another one (rh/fedora), create a custom kickstart
floppy installing your system over the LAN, give it to students
at the beginning of a course and let them start the kickstart
installation.

Good luck

-- 
Michael Heiming (GPG-Key ID: 0xEDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
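An added illustration, not part of the post or the thread: a small Python check that scans a sudoers fragment for entries that give users an editor or pager with a shell escape and no NOEXEC tag, which is the situation the post describes. The `%students` group, the file paths and the program list are constructed assumptions, and the parsing covers only simple user specifications.

```python
import os
import re

# Programs with a built-in shell escape. Illustrative list, not exhaustive.
SHELL_ESCAPE = {"vi", "vim", "view", "emacs", "less", "more"}

# Constructed sample sudoers fragment: the group name and paths are assumptions.
SAMPLE = r"""
# students may edit and restart services
%students ALL = /usr/bin/vim /etc/httpd/conf/httpd.conf
%students ALL = /etc/rc.d/init.d/httpd restart, \
                /usr/bin/less /var/log/httpd/error_log
%students ALL = NOEXEC: /usr/bin/less /var/log/messages, EXEC: /bin/vi /etc/named.conf
%students ALL = sudoedit /etc/proftpd.conf
"""

TAG = re.compile(r"^((?:NO)?(?:EXEC|PASSWD|SETENV)):\s*")


def audit(text):
    """Return (who, command) pairs that run an escapable program without NOEXEC."""
    findings = []
    joined = re.sub(r"\\\n\s*", " ", text)  # join continuation lines
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # simplified comment handling
        first = line.split(None, 1)[0] if line else ""
        if "=" not in line or first.startswith("Defaults") or first.endswith("_Alias"):
            continue  # only user specifications are examined
        who_host, cmds = line.split("=", 1)
        cmds = re.sub(r"^\s*\([^)]*\)\s*", "", cmds)  # drop a "(runas)" prefix
        noexec = False  # tags carry over to later commands in the same list
        for cmd in (c.strip() for c in cmds.split(",")):
            while (m := TAG.match(cmd)):
                if m.group(1).endswith("EXEC"):
                    noexec = m.group(1) == "NOEXEC"
                cmd = cmd[m.end():]
            prog = os.path.basename(cmd.split()[0]) if cmd else ""
            if prog in SHELL_ESCAPE and not noexec:
                findings.append((first, cmd))
    return findings


if __name__ == "__main__":
    for who, cmd in audit(SAMPLE):
        print(f"{who}: '{cmd}' allows a shell escape; use sudoedit or NOEXEC")
```

Neither sudoedit nor NOEXEC addresses the other concern raised in the post, a command placed in a service init script that later runs as root.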

